Enrich threat observables with VirusTotal and analyze them in Dynatrace.
The Dynatrace integration with VirusTotal brings threat intelligence context into alerts and detection investigations to help organizations combat online abuse, such as cyber-attacks, spamming, and other malicious activities.
By enriching observables with reputation derived from the threat information that VirusTotal provides, you can run more efficient security investigations and automate alert triage, reducing noise through threat-aware prioritization.
Once you set up the VirusTotal integration, you can enrich observables, such as IP addresses, with threat intelligence context.
Key use cases include:
Enhance detection findings in Threats & Exploits with external reputation data.
Workflows, create a new workflow or edit an existing one.
Threat-informed security investigations (coming soon)
See below for the VirusTotal and Dynatrace requirements.
Register with VirusTotal and create an API v3 key.
The following IAM permissions are required:
app-engine:apps:run
app-settings:objects:read
document:documents:read
settings:objects:read
storage:system:read
security-intelligence:enrichments:run
To run the enrichment workflow action, all the permissions above need to be enabled in Workflows as well.
Workflows and select Authorization settings.
In Dynatrace, open Hub.
Look for VirusTotal and select Install.
Select Set up, then select Configure new connection.
Follow the on-screen instructions to set up the connection using the API key obtained in Prerequisites.
Allowed outbound connections are extended automatically with www.virustotal.com.
Test the connection to ensure the correct configuration and save it.

Dynatrace integration with VirusTotal is an app that you can install from Hub.
The app delivers a workflow action for observable enrichment in Workflows.
To prevent accidental edits or deletions across environments, connection setup now includes owner-based access control. This ensures reliable automation, avoids unexpected configuration loss, and aligns with minimal access requirements.
For details on sharing and permissions, see Access control for Connectors.
Various consumer apps can perform an on-demand enrichment of observables, for example, via a workflow action.
Dynatrace reaches out to VirusTotal to perform the observable enrichment.
Geolocation fields in enrichment results are sourced from the provider and can differ from the geolocation used in Dynatrace.
For more information, see FAQ: Geolocation differences.
The threat intelligence context is displayed within the consumer apps or in Workflows, helping you drive smarter decisions.
For billing information, see Events powered by Grail.
Supported observable types: IP addresses (more coming soon).
For every new observable enrichment, we perform a single API call.
Geolocation fields in enrichment results (such as geo.country.iso_code, geo.country.name, and city/coordinates if available) are provided directly by the external provider (in this case, VirusTotal).
These values reflect the VirusTotal geolocation data and may differ from the geolocation used in Dynatrace features (such as Real User Monitoring or platform‑level geolocation).
Differences can occur because of different databases, update cycles, or mapping rules.
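
The following sketch is an added example, not Dynatrace or VirusTotal code. It shows how a consumer could handle the points above: accept only IP observables, make one lookup per new observable, and flag a provider/local country mismatch instead of hiding it. Assumptions: the function names, the triage rule, the output shape other than `geo.country.iso_code`, the IPv4-only check, and the constructed sample report (shaped like a VirusTotal API v3 IP address object).

```javascript
// Added example: names, thresholds and output shape are assumptions, not Dynatrace's schema.
// Constructed sample shaped like a VirusTotal API v3 ip_addresses object (values invented).
const SAMPLE_REPORT = {
  data: { id: "203.0.113.7", type: "ip_address", attributes: {
    country: "NL",
    last_analysis_stats: { malicious: 4, suspicious: 1, harmless: 60, undetected: 25, timeout: 0 },
  } },
};

// Only IP observables are supported; this sketch accepts dotted-quad IPv4 only.
function isIPv4(value) {
  const parts = String(value).split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Map a report to a verdict plus the provider's country code.
function toEnrichment(report) {
  const attrs = (report && report.data && report.data.attributes) || {};
  const stats = attrs.last_analysis_stats || {};
  const malicious = stats.malicious || 0;
  const suspicious = stats.suspicious || 0;
  // Assumed triage rule: any malicious verdict outranks suspicious ones.
  const verdict = malicious > 0 ? "malicious" : suspicious > 0 ? "suspicious" : "benign";
  return { verdict, malicious, suspicious, "geo.country.iso_code": attrs.country || null };
}

// Enrich a batch: skip non-IP observables and call `lookup` once per distinct IP.
// `lookup` is injected so the sketch runs offline; `localGeo` maps ip -> local country code.
function enrichObservables(observables, lookup, localGeo = {}) {
  const cache = new Map();
  const skipped = [];
  for (const obs of observables) {
    if (!isIPv4(obs)) { skipped.push(obs); continue; }
    if (cache.has(obs)) continue; // already enriched: no second API call
    const result = toEnrichment(lookup(obs));
    const local = localGeo[obs];
    const provider = result["geo.country.iso_code"];
    // Flag a provider/local country mismatch instead of silently picking one.
    result.geoMismatch = Boolean(local && provider && local !== provider);
    cache.set(obs, result);
  }
  return { results: Object.fromEntries(cache), skipped };
}

// Demo with a counting stub in place of the real HTTP call.
let lookupCalls = 0;
const stubLookup = () => { lookupCalls += 1; return SAMPLE_REPORT; };
const demo = enrichObservables(["203.0.113.7", "203.0.113.7", "example.test"], stubLookup, { "203.0.113.7": "DE" });
console.log(demo, "lookups:", lookupCalls);
```
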